Abstract — A Multi-hop Control Network (MCN) consists of a plant where the communication between sensors, actuators and computational unit is supported by a wireless multi-hop communication network, and data flow is performed using scheduling and routing of sensing and actuation data. We characterize the problem of detecting the failure of links of the radio connectivity graph and provide necessary and sufficient conditions on the plant dynamics and on the communication protocol. We also provide a methodology to explicitly design the network topology, scheduling and routing of a communication protocol in order to satisfy the above conditions.

I. Introduction 

Wireless networked control systems are spatially distributed control systems where the communication between sensors, actuators, and computational units is supported by a shared wireless communication network. Control with wireless technologies typically involves multiple communication hops for conveying information from sensors to the controller and from the controller to actuators. The use of wireless networked control systems in industrial automation results in flexible architectures and generally reduces installation, debugging, diagnostic and maintenance costs with respect to wired networks. The main motivation for studying such systems is the emerging use of wireless technologies in control systems (see e.g. [1], [2], and [3]).

Although Multi-hop Control Networks (MCNs) offer many advantages, their use for control is a challenge when one has to take into account the joint dynamics of the plant and of the communication protocol. Wide deployment of wireless industrial automation requires substantial progress in wireless transmission, networking and control, in order to provide formal models and verification/design methodologies for wireless networked control systems. The design of the control system has to consider the presence of the network, as it represents the interconnection between the plant and the controller, and thus affects the dynamical behavior of the system. The analysis of stability, performance, and reliability of real implementations of wireless networked control systems requires addressing issues such as scheduling and routing using real communication protocols.

Recently, a huge effort has been made in scientific research on Networked Control Systems (NCSs); see [4], [5], [6], [7], [8] and references therein for a general overview. However, the literature on NCSs usually does not take into account the non-idealities introduced by the scheduling and routing communication protocols of Multi-hop Control Networks. In [9], a simulation environment of computer nodes and communication networks interacting with the continuous-time dynamics of the real world is presented. To the best of our knowledge, the only formal model of a Multi-hop Control Network has been presented in [10], [11], where the modeling and stability verification problem has been addressed for a MIMO LTI plant embedded in a MCN, when the controller is already designed. A mathematical framework has been proposed that allows modeling the MAC layer (communication scheduling) and the Network layer (routing) of the recently developed wireless industrial control protocols, such as WirelessHART (www.hartcomm2.org) and ISA-100 (www.isa.org).

Consider the networked control architecture illustrated in Figure 1, which consists of a plant $\mathcal{P}$ interconnected to a controller $C$ via two multi-hop wireless communication networks $G_R$ and $G_O$. We proved in [12] that for any time-invariant topology $i$ of $G_R$ and $G_O$, characterized by at least one path between the controller and the plant, it is always possible to design a controller $C_i$, a routing and a scheduling to arbitrarily assign the eigenvalues of the closed loop system. Consider the following two application scenarios. In the first scenario (e.g. the mine application investigated in [13]), an industrial plant is connected to a controller via a multi-hop wireless communication network: the graph topology of the wireless network is time-varying because of link failures and battery discharge of the communication nodes. In the second scenario, a plant is connected to a controller via a swarm of mobile agents (e.g. robots [14] or UAVs [15]) equipped with wireless communication nodes: the graph topology of the wireless network is time-varying because of the motion of the agents. In both scenarios, the time-varying topology perturbs the dynamics of the interconnected system $\mathcal{N}$, and the controller is required to detect the current topology $i$ of $G_R$ and $G_O$ in order to apply the corresponding control law $C_i$.

In this paper we suppose that the topology of $G_R$ and $G_O$ is time-varying because of link failures, and provide a methodology to detect the set of faulty links using Fault Detection and Identification (FDI) methods. In the taxonomy of fault diagnosis techniques, we build on the model-based approach introduced by the pioneering works in [16], [17] on observer-based FDI, later pursued in [18] for linear systems and in [19] for non-linear systems.

As can be inferred from the recent survey [20], fault tolerant control and fault diagnosis is one of the main issues addressed in the research on NCSs. However, most of the existing literature on NCSs fault diagnosis (e.g. [21], [15]) usually addresses communication delays, and does not consider the effect of the communication protocol introduced by a Multi-hop Control Network. In [22], a procedure to minimize the number and cost of additional sensors, required to solve the FDI problem for structured systems, is presented. In [23], the design of an intrusion detection system is presented for a MCN, where the network itself acts as the controller. Our modeling framework differs from that developed in [23], since we model the MCN as an input-output system where the wireless networks transfer sensing and actuation data between a plant and a controller (they are relay networks), while in [23] the MCN is an autonomous system where the wireless network itself acts as a controller. Moreover, in our model we explicitly take into account the effect of the scheduling ordering of the node transmissions in the sensing and actuation data relay.

Fig. 1. Proposed control scheme of a MCN.

Our work differs from the existing literature since we characterize the communication link failure detection problem in a MCN as a FDI problem, and state necessary and sufficient conditions on the plant dynamics and on the communication protocol. Moreover, we provide a methodology to explicitly design the network topology, scheduling and routing of a communication protocol in order to satisfy the link failure detection conditions of a MCN for any failure of communication links. The explicit design of scheduling and routing is a fundamental aspect of our contribution. In fact, as evidenced in [13], when applying a wireless industrial control protocol to a real scenario, the topology of the wireless network introduces hard limitations on the choice of the scheduling. This is due to the fact that most wireless industrial control protocols suggest that the communication scheduling satisfies a specific ordering (see [13], [24] for more details). The results in [12] and in this paper mitigate these constraints, by proving that it is not required to perform scheduling according to a specific ordering. This allows the scheduling length to be strongly reduced, as illustrated in [12].

II. Modeling of MCNs 

The challenges in modeling MCNs are best explained by considering the recently developed wireless industrial control protocols, such as WirelessHART and ISA-100. These standards require that designers of wireless control networks define a communication scheduling for all communication nodes of a wireless network. For each working frequency, time is divided into slots of fixed duration $\Delta$, and groups of $\Pi$ time slots are called frames of duration $T = \Pi\Delta$ (see Figure 2). For each frame, a communication scheduling allows each node to transmit data only in a specified time slot and frequency, i.e. a mixed TDMA and FDMA MAC protocol is used. The communication scheduling is periodic with period $\Pi$, i.e. it is repeated in all frames. The standard specifies a syntax for defining scheduling and routing and a mechanism to apply them, but the issue of designing them remains a challenge for engineers and is currently done using heuristic rules. To allow systematic methods for designing the communication protocol configuration, a mathematical model of the effect of scheduling and routing on the control system is needed.

Fig. 2. Time-slotted structure of frames.

Definition 1: A SISO Multi-hop Control Network is a tuple $\mathcal{N} = (\mathcal{P}, G_R, \eta_R, G_O, \eta_O, \Delta)$ where:

• $\mathcal{P} = (A_P^c, B_P^c, C_P^c)$ models a plant dynamics in terms of the matrices of a continuous-time SISO LTI system.

• $G_R = (V_R, E_R, W_R)$ is the controllability radio connectivity acyclic graph, where the vertices correspond to the nodes of the network, and an edge from $v$ to $v'$ means that $v'$ can receive messages transmitted by $v$ through the wireless communication link $(v, v')$. We denote by $v_c$ the special node of $V_R$ that corresponds to the controller, and by $v_u \in V_R$ the special node that corresponds to the actuator of the input $u$ of $\mathcal{P}$. The weight function $W_R : E_R \to \mathbb{R}^+$ associates to each link a positive constant. The role of $W_R$ will be clear in the following definition of $\eta_R$.

• $\eta_R : \mathbb{N} \to 2^{E_R}$ is the controllability communication scheduling function, that associates to each time slot of each frame a set of edges of the controllability radio connectivity graph. Since in this paper we only consider a periodic scheduling that is repeated in all frames, we define the controllability communication scheduling function by $\eta_R : \{1, \ldots, \Pi\} \to 2^{E_R}$. The integer constant $\Pi$ is the period of the controllability communication scheduling. The semantics of $\eta_R$ is that $(v, v') \in \eta_R(h)$ if and only if at time slot $h$ of each frame the data content of the node $v$ is transmitted to the node $v'$, multiplied by the weight $W_R(v, v')$. We assume that each link can be scheduled only one time for each frame. This does not lead to loss of generality, since it is always possible to obtain an equivalent model that satisfies this constraint by appropriately splitting the nodes of the graph, as already illustrated in the memory slot graph definition of [11].

• $G_O = (V_O, E_O, W_O)$ is the observability radio connectivity acyclic graph, and is defined similarly to $G_R$. We denote by $v_c$ the special node of $V_O$ that corresponds to the controller, and by $v_y \in V_O$ the special node that corresponds to the sensor of the output $y$ of $\mathcal{P}$.

• $\eta_O : \{1, \ldots, \Pi\} \to 2^{E_O}$ is the observability communication scheduling function, and is defined similarly to $\eta_R$. We remark that $\Pi$ is the same period as the controllability scheduling period.

• $\Delta$ is the time slot duration. As a consequence, $T = \Pi\Delta$ is the frame duration.

Definition 1 allows modeling communication protocols that specify TDMA, FDMA and/or CDMA access to a shared communication resource, for a set of communication nodes interconnected by an arbitrary radio connectivity graph. In particular, it allows modeling wireless multi-hop communication networks that implement protocols such as WirelessHART and ISA-100. Our MCN model differs from the framework developed in [11], since it allows modeling redundancy in data communication by sending control data through multiple paths in the same frame and then merging these components according to the weight function. This kind of redundancy is called multi-path routing (or flooding, in the communication scientific community), and aims at rendering the MCN robust with respect to link failures and at mitigating the effect of packet losses.

For any given radio connectivity graph that models the communication range of each node, designing a scheduling function induces a communication scheduling (namely the time slot when each node is allowed to transmit) and a multi-path routing (namely the set of paths that convey data from the input to the output of the connectivity graph) of the communication protocol. Since the scheduling function is periodic, the induced communication scheduling is periodic, and the induced multi-path routing is static.

We define a connectivity property of the controllability 
and observability graphs with respect to the corresponding 
scheduling. 

Definition 2: Given a controllability graph $G_R$ and scheduling $\eta_R$, we define $G_R(\eta_R(h))$ as the sub-graph of $G_R$ induced by keeping the edges scheduled in the time slot $h$. We define

$$G_R(\eta_R) = \bigcup_{h=1}^{\Pi} G_R(\eta_R(h))$$

as the sub-graph of $G_R$ induced by keeping the union of the edges scheduled during the whole frame.

Definition 3: We say that a controllability graph $G_R$ is jointly connected by a controllability scheduling $\eta_R$ if and only if there exists a path from the controller node $v_c$ to the actuator node $v_u$ in $G_R(\eta_R)$.

The above definitions can be given similarly for the observability graph $G_O$ and scheduling $\eta_O$.

The dynamics of a MCN $\mathcal{N}$ can be modeled by the interconnection of blocks as in Figure 1. The block $P_T$ is characterized by the discrete-time state space representation $(A_P, B_P, C_P)$ obtained by discretizing $(A_P^c, B_P^c, C_P^c)$ with sampling time $T = \Pi\Delta$. We assume that the plant $\mathcal{P}$ is stabilizable and detectable, and that $\mathcal{P} = (A_P, B_P, C_P)$ is the controllable and observable minimal representation. If this assumption does not hold, then even with an ideal interconnection between the controller and the plant it is clearly not possible to stabilize the closed loop system, and the control scheme in Figure 1 loses any interest.

The block $G_R$ models the dynamics introduced by the flow of the actuation data through the communication network represented by $G_R$, according to the applied controllability scheduling $\eta_R$. In order to define the dynamical behavior of $G_R$, we need to define the dynamics of the data flow through the network according to the scheduling $\eta_R$.

We associate to the controller node $v_c$ a real value $\mu_c(kT)$ at time $k$, and we assume that $v_c$ is periodically updated with a new control command at the beginning of each frame and holds this value for the whole duration of the frame. Formally, $\mu_c(kT) = u(kT)$.

The dynamics of the other nodes needs to be defined at the level of time slots. We associate to each other node $v_j \in V_R \setminus \{v_c\}$ a real value $\mu_{i,j}(h)$ at time slot $h$ for each node $v_i$ belonging to the set $\mathrm{inc}(v_j) = \{v \in V_R : (v, v_j) \in E_R\}$ of the sources of the edges incoming to $v_j$.

When the link from $v_i$ to $v_j$ is not scheduled at time slot $h$, the variable $\mu_{i,j}(h)$ is not updated. When the link from $v_i$ to $v_j$ is scheduled at time slot $h$, the variable $\mu_{i,j}(h)$ is updated with the sum of the variables associated to node $v_i$ in the time slot $h$, multiplied by the link weight $W_R(v_i, v_j)$. Formally, for each $v_j \in V_R \setminus \{v_c\}$ and for each time slot $h \in \{1, \ldots, \Pi\}$:

$$\mu_{i,j}(h+1) = \begin{cases} \mu_{i,j}(h) & \text{if } (v_i, v_j) \notin \eta_R(h), \\[2pt] W_R(v_i, v_j) \displaystyle\sum_{v_l \in \mathrm{inc}(v_i)} \mu_{l,i}(h) & \text{if } (v_i, v_j) \in \eta_R(h), \end{cases}$$

where, for $v_i = v_c$, the sum of the variables associated to $v_c$ is its single variable $\mu_c(kT)$.

Finally, the actuator node $v_u$ periodically actuates a new actuation command at the beginning of each frame on the basis of its variables $\mu_{i,u}$, and holds this value for the whole duration of the frame. Formally,

$$u(kT) = \sum_{v_i \in \mathrm{inc}(v_u)} \mu_{i,u}(kT).$$



The following proposition, proved in [12], characterizes the dynamics of $G_R$ at the level of frames, induced by the data flow through the network at the level of time slots.

Proposition 1: [12] Given $G_R$ and $\eta_R$, the controllability graph can be modeled as a discrete time SISO LTI system with sampling time equal to the frame duration $T = \Pi\Delta$, and characterized by the following transfer function:

$$G_R(z) = \sum_{d=1}^{D_R} \gamma_R(d)\, z^{-d},$$

where $D_R \in \mathbb{N}$ is the maximum delay introduced by $G_R$, and $\forall d \in \{1, \ldots, D_R - 1\}$, $\gamma_R(d) \in \mathbb{R}_0^+$, $\gamma_R(D_R) \neq 0$.

$G_O(z)$ can be computed similarly. The dynamics of a MCN $\mathcal{N}$ can be modeled as in Figure 3, where each block is a discrete time SISO LTI system with sampling time equal to the frame duration, characterized by the transfer functions $G_R(z)$, $P_T(z)$ and $G_O(z)$.

Fig. 3. Transfer function of the MCN interconnected system.

Let $x_O \in \mathbb{R}^{n_O}$, $x_P \in \mathbb{R}^{n_P}$ and $x_R \in \mathbb{R}^{n_R}$ be respectively the states of the observability graph, of the plant, and of the controllability graph. We will denote by $x = [\,x_O^T \;\; x_P^T \;\; x_R^T\,]^T$ the extended state of $\mathcal{N}$, with $x \in \mathbb{R}^n$ and $n = n_O + n_P + n_R$. The dynamics of $\mathcal{N}$ can also be described by the following state space representation:

$$x((k+1)T) = A\,x(kT) + B\,u(kT), \qquad y(kT) = C\,x(kT), \qquad u(kT), y(kT) \in \mathbb{R}, \tag{1}$$

with $A$, $B$ and $C$ composed from the blocks $(A_R, B_R, C_R)$, $(A_P, B_P, C_P)$ and $(A_O, B_O, C_O)$ of the interconnection in Figure 3; the matrices $(A_O, B_O, C_O)$ are defined similarly to $(A_R, B_R, C_R)$.

III. Fault Detection on MCNs

In this section we provide a methodology to detect the current dynamics of a MCN subject to link failures using Fault Detection and Identification (FDI) methods. The failure of a set of links $f \subseteq E_R \cup E_O$ on the dynamics (1) can be modeled as follows:

$$x((k+1)T) = A\,x(kT) + B\,u(kT) + L_f\, m_f(kT), \qquad y(kT) = C\,x(kT), \tag{2}$$

where $m_f(kT) : \mathbb{N} \to \mathbb{R}^{n+1}$ is an arbitrary function of time and $L_f : \mathbb{R}^{n+1} \to \mathbb{R}^n$ is called the failure signature map associated to the configuration of failures $f$. We define the failure signature maps as in Figure 4, where the $d$-th components $\delta_{R,f}(d)$ and $\delta_{O,f}(d)$ of the row vectors $\delta_{R,f} = [\,\delta_{R,f}(D_R) \;\cdots\; \delta_{R,f}(1)\,]$ and $\delta_{O,f} = [\,\delta_{O,f}(D_O) \;\cdots\; \delta_{O,f}(1)\,]$ are the perturbations introduced by the configuration of failures $f$ in the paths of $G_R$ and $G_O$ characterized by delay $d$. Since $\gamma_R(d) \geq 0$ and $\gamma_O(d) \geq 0$, and a failure of each path reduces the value of the corresponding component, then $\delta_{R,f}(d) \geq 0$ and $\delta_{O,f}(d) \geq 0$ for each $f \subseteq E_R \cup E_O$. In the absence of failures $L_\emptyset = 0_{n \times (n+1)}$.
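As an added example (not code from the paper), the following Python script simulates the slot-level data flow of Definition 1 on a constructed two-path controllability graph, reads off the frame-level impulse response $\gamma_R(d)$ of Proposition 1, and computes the failure signature $\delta_f(d) = \gamma_R(d) - \gamma_R^f(d)$ of each single-link failure under the "set the faulty contribution to 0" protocol, grouping links into the equivalence classes $[f]$ of this section. Graph, weights, schedule and node names are constructed for the example.

```python
"""Added example (not from the paper): slot-level data flow of a SISO
controllability graph G_R under a periodic scheduling eta_R (Definition 1),
the frame-level impulse response gamma_R(d) of Proposition 1, and the failure
signature delta_f(d) = gamma_R(d) - gamma_R^f(d) of a set f of failed links.
Graph, weights, schedule and node names below are constructed."""
from collections import defaultdict

# Constructed controllability graph: two paths from the controller v_c to
# the actuator v_u. Each edge (v, v') carries its weight W_R(v, v').
EDGES = {
    ("v_c", "v_1"): 1.0,
    ("v_1", "v_u"): 0.5,
    ("v_c", "v_2"): 1.0,
    ("v_2", "v_u"): 0.5,
}
# Periodic scheduling eta_R with period PI = 3: slot h -> edges sent in h.
# Path v_c-v_1-v_u completes inside one frame (slots 1, 2); path
# v_c-v_2-v_u needs slot 3 and then slot 1 of the next frame.
SCHEDULE = {
    1: {("v_c", "v_1"), ("v_2", "v_u")},
    2: {("v_1", "v_u")},
    3: {("v_c", "v_2")},
}

def impulse_response(edges, schedule, frames, failed=frozenset(), vc="v_c", vu="v_u"):
    """Apply u(0)=1, u(kT)=0 for k>0 and return [gamma(1), ..., gamma(frames)],
    gamma(d) being the actuator value read at the start of frame d.
    A link in `failed` is never updated, so its variable mu_{i,j} stays 0:
    this is the 'set the faulty contribution to 0' protocol of Section III."""
    inc = defaultdict(list)            # inc(v_j): sources of links into v_j
    for (vi, vj) in edges:
        inc[vj].append(vi)
    mu = defaultdict(float)            # mu[(v_i, v_j)] = mu_{i,j}
    gamma = []
    for k in range(frames + 1):
        mu_c = 1.0 if k == 0 else 0.0  # mu_c(kT) = u(kT), held for the frame
        if k > 0:                      # actuator: sum of its incoming variables
            gamma.append(sum(mu[(vi, vu)] for vi in inc[vu]))
        for h in sorted(schedule):     # slots 1..PI of frame k
            # data content of a node in slot h: mu_c for the controller,
            # otherwise the sum of the variables of its incoming links
            def content(v):
                return mu_c if v == vc else sum(mu[(vl, v)] for vl in inc[v])
            # links scheduled in the same slot read pre-slot values, then commit
            updates = {(vi, vj): edges[(vi, vj)] * content(vi)
                       for (vi, vj) in schedule[h]
                       if (vi, vj) in edges and (vi, vj) not in failed}
            mu.update(updates)
    return gamma

def failure_signature(edges, schedule, frames, failed):
    """delta_f(d) = gamma_R(d) - gamma_R^f(d): how the failure configuration f
    perturbs the paths with delay d (non-negative, as stated in Section III)."""
    nominal = impulse_response(edges, schedule, frames)
    faulty = impulse_response(edges, schedule, frames, failed=frozenset(failed))
    return [round(a - b, 12) for a, b in zip(nominal, faulty)]

def equivalence_classes(edges, schedule, frames, configurations):
    """Group failure configurations by signature: the classes [f] of link sets
    that perturb the dynamics in the same way."""
    classes = defaultdict(list)
    for f in configurations:
        key = tuple(failure_signature(edges, schedule, frames, f))
        classes[key].append(tuple(sorted(f)))
    return dict(classes)

if __name__ == "__main__":
    print("gamma_R(1..3):", impulse_response(EDGES, SCHEDULE, 3))
    singles = [{e} for e in EDGES]
    for sig, members in equivalence_classes(EDGES, SCHEDULE, 3, singles).items():
        print("delta", sig, "<-", members)
    # simultaneous failure of both paths: the sum of the two class signatures,
    # hence a member of Phi_S that is dropped from Phi
    print("both paths:", failure_signature(EDGES, SCHEDULE, 3, set(EDGES)))
```

Links on the same path fall into the same class, and failing both paths gives the sum of the two class signatures, which is why such configurations end up in $\Phi_S$.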

The signal $m_f(kT)$ depends on the protocol applied by the communication nodes when the configuration of failures $f$ occurs. By an appropriate choice of $m_f(kT)$, it is possible to model by (2) the dynamics of $\mathcal{N}$ when a failure occurs in the set of links $f$, for any protocol applied by the communication nodes in case of failure. As an example, if a node sets to 0 the data contribution incoming from a faulty link, then we can model this behavior by defining $m_f(kT) = [\,x(kT)^T \;\; u(kT)^T\,]^T$. If a node uses the latest data received from a faulty link, then we can model this behavior by defining $m_f(kT) = [\,x(kT)^T \;\; u(kT)^T\,]^T + v$, with $v \in \mathbb{R}^{n+1}$ a constant vector of real numbers.

To perform failure detection of a MCN with the aim of applying an appropriate control law for each dynamics induced by all failure configurations, we first need to define the set $\Phi \subseteq 2^{E_R \cup E_O}$ of failures we are interested in distinguishing. In fact, we need to distinguish two failures induced by sets of links $f, f'$ only when they introduce different perturbations of the dynamics (1), namely when $L_f m_f(kT) \neq L_{f'} m_{f'}(kT)$. For this reason, we define $\Phi_0$ as the set of equivalence classes $[f]$, each consisting of sets of links that affect the dynamics (1) by means of the same representative failure signal $L_f m_f(kT)$:

$$[f] = \{\, f' \subseteq E_R \cup E_O : \forall k \geq 0,\; L_{f'} m_{f'}(kT) = L_f m_f(kT) \,\}.$$

For simplicity of notation, we will denote in the following the equivalence class $[f]$ by a representative set of links $\varphi \in [f]$. In order to take into account simultaneous failures, we define the subset $\Phi_S \subseteq \Phi_0$ of equivalence classes such that the perturbation introduced can be obtained as the sum of perturbations introduced by equivalence classes of $\Phi_0$:

$$\Phi_S = \Big\{\, f \in \Phi_0 : \exists p \in \mathbb{N},\ \exists f_1, \ldots, f_p \in \Phi_0 \setminus \{f\} :\ L_f m_f(kT) = \sum_{i=1}^{p} L_{f_i} m_{f_i}(kT) \Big\}.$$

Fig. 4. Matrix $L_f$.

Define the set of failures as $\Phi = \Phi_0 \setminus \Phi_S$. $\Phi$ always contains the equivalence class $\emptyset$, that corresponds to the absence of failures. It is easy to prove that the set $\Phi$ always exists and is unique. For this reason, we can associate to any given MCN $\mathcal{N}$ the corresponding unique set of failures $\Phi$ we are interested in distinguishing, and model their simultaneous occurrence as follows:

$$x((k+1)T) = A\,x(kT) + B\,u(kT) + \sum_{\varphi \in \Phi} L_\varphi\, m_\varphi(kT), \qquad y(kT) = C\,x(kT). \tag{3}$$



Given a MCN $\mathcal{N}$ and the corresponding faulty set $\Phi$ modeled by (3), we address the problem of detecting a failure $\varphi \in \Phi$ that is perturbing the dynamics of $\mathcal{N}$ by using the measurements of the signals $u(\cdot)$, $y(\cdot)$. To this aim we rely on the model-based approach developed in [18], which exploits a bank of LTI observer-like systems (called residual generators) that take as input the signals $u(\cdot)$, $y(\cdot)$ and provide asymptotic estimates of $m_\varphi(kT)$ for any failure $\varphi \in \Phi$. This allows to identify which failures are affecting the dynamics of $\mathcal{N}$. The problem of designing such residual generators with arbitrary asymptotic convergence rate on the model (3) is well known as the Extended Fundamental Problem in Residual Generation (EFPRG). Necessary and sufficient conditions for solving the EFPRG have been stated in [18]:

Theorem 2: Given the failure model (3), the EFPRG has a solution for the failure $\varphi \in \Phi$ if and only if:

$$\mathcal{S}^*(\hat{\mathcal{L}}_\varphi) \cap \mathcal{L}_\varphi = 0, \tag{4}$$

where $\hat{\mathcal{L}}_\varphi := \sum_{\varphi' \in \Phi \setminus \varphi} \mathcal{L}_{\varphi'}$.

Given any $\mathcal{L} \subseteq \mathbb{R}^n$, the computation of $\mathcal{S}^*(\mathcal{L})$ can be performed by applying the $(C,A)$-Invariant Subspace Algorithm (CAISA) and the UnObservability Subspace Algorithm (UOSA), recursive algorithms provided in [25]. We define $\mathcal{W}^*(\mathcal{L})$ as the fixed point of the following recursion (CAISA):

$$\mathcal{W}_{k+1}(\mathcal{L}) = \mathcal{L} + A\big(\mathcal{W}_k(\mathcal{L}) \cap \mathcal{N}(C)\big), \qquad \mathcal{W}_0(\mathcal{L}) = 0.$$

We define $\mathcal{S}^*(\mathcal{L})$ as the fixed point of the following recursion (UOSA):

$$\mathcal{S}_{k+1}(\mathcal{L}) = \mathcal{W}^*(\mathcal{L}) + A^{-1}\big(\mathcal{S}_k(\mathcal{L})\big) \cap \mathcal{N}(C), \qquad \mathcal{S}_0(\mathcal{L}) = \mathbb{R}^n.$$



The following lemma provides a useful property of the CAISA and UOSA algorithms.

Lemma 3: Let $\mathcal{L} \subseteq (\mathcal{N}(C))^\perp$. Then $\mathcal{W}^*(\mathcal{L}) = \mathcal{L}$, and $\mathcal{S}^*(\mathcal{L}) = \mathcal{L} + \mathcal{K}$ with $\mathcal{K} \subseteq \mathcal{N}(C)$. Moreover, if $\mathcal{L} = (\mathcal{N}(C))^\perp$, then $\mathcal{S}^*(\mathcal{L}) = \mathbb{R}^n$.

Proof: Let $\mathcal{L} \subseteq (\mathcal{N}(C))^\perp$. Then

$$\mathcal{W}_1(\mathcal{L}) = \mathcal{L} + A(0 \cap \mathcal{N}(C)) = \mathcal{L} + A(0) = \mathcal{L},$$
$$\mathcal{W}_2(\mathcal{L}) = \mathcal{L} + A(\mathcal{L} \cap \mathcal{N}(C)) = \mathcal{L} + A(0) = \mathcal{L} = \mathcal{W}^*(\mathcal{L}).$$

For each $k \geq 0$,

$$\mathcal{S}_{k+1}(\mathcal{L}) = \mathcal{L} + A^{-1}\big(\mathcal{S}_k(\mathcal{L})\big) \cap \mathcal{N}(C) = \mathcal{L} + \mathcal{K}_k,$$

with $\mathcal{K}_k \subseteq \mathcal{N}(C)$. Moreover, if $\mathcal{L} = (\mathcal{N}(C))^\perp$, then:

$$\mathcal{S}_1(\mathcal{L}) = \mathcal{L} + A^{-1}(\mathbb{R}^n) \cap \mathcal{N}(C) = \mathcal{L} + \mathbb{R}^n \cap \mathcal{N}(C) = \mathcal{L} + \mathcal{N}(C) = (\mathcal{N}(C))^\perp + \mathcal{N}(C) = \mathbb{R}^n = \mathcal{S}^*(\mathcal{L}).$$

■

For the sake of clarity, we address the link failure detection problem starting from two special cases. In the first case, we consider a multi-hop interconnection between the controller and the actuator and a single-hop interconnection between the sensor and the controller, namely the observability graph $G_O$ consists of two nodes connected by one link. In the second case, we consider a single-hop interconnection between the controller and the actuator, namely the controllability graph $G_R$ consists of two nodes connected by one link, and a multi-hop interconnection between the sensor and the controller. In the third case, we consider the general case when both $G_R$ and $G_O$ are multi-hop communication networks.



A. $G_R$ multi-hop and $G_O$ single-hop

If $G_O$ consists of a single hop, then $n_O = 1$, $A_O = 0$, $B_O = C_O = 1$. As illustrated in [18], each $L_\varphi$ can be assumed monic with no loss of generality, since when failures are not present the corresponding components of $m_\varphi(kT)$ are identically zero. For this reason, by an appropriate choice of $m_\varphi(kT)$, we define the $L_\varphi$ in (3) as follows:

$$L_\varphi = \begin{bmatrix} 0_{(n_O + n_P) \times n_R} \\ \delta_\varphi \\ 0_{(n_R - 1) \times n_R} \end{bmatrix},$$

where $\delta_\varphi \in (\mathbb{R}_0^+)^{n_R}$ is a row vector and $L_\varphi$

The following theorem states a negative result.

Theorem 4: Let a MCN $\mathcal{N}$ and the corresponding faulty set $\Phi$ be given, where $G_R$ is multi-hop and $G_O$ is single-hop. Then the EFPRG can be solved for each $\varphi \in \Phi$ if and only if $|\Phi| \leq 2$.

Proof: (sufficiency) If $|\Phi| = 1$ then $\Phi = \{\emptyset\}$, and failures are not defined. If $|\Phi| = 2$ then $\Phi = \{\emptyset, \varphi\}$. Therefore, $\hat{\mathcal{L}}_\varphi = \mathcal{L}_\emptyset$ and $\hat{\mathcal{L}}_\emptyset = \mathcal{L}_\varphi$. Since $\mathcal{L}_\emptyset = 0$, it is easy to derive that $\mathcal{S}^*(\mathcal{L}_\varphi) \cap \mathcal{L}_\emptyset = 0$ and that $\mathcal{S}^*(\mathcal{L}_\emptyset) \cap \mathcal{L}_\varphi = 0$.

(necessity) Assume that $|\Phi| > 2$. Note that all the elements of the matrix $L_\varphi$ are zeros, except the $(n_O + n_P + 1)$-th row. For this reason:

$$\forall \varphi \in \Phi, \quad \mathcal{L}_\varphi = \mathrm{span}[e_{n_O + n_P + 1}] := \mathcal{L}_R.$$

Thus, for each $\varphi \in \Phi$, $\hat{\mathcal{L}}_\varphi = \mathcal{L}_R$. Since $\mathcal{L}_\varphi \subseteq \mathcal{S}^*(\mathcal{L}_\varphi)$, for each $\varphi \in \Phi$ the following holds:

$$\mathcal{S}^*(\hat{\mathcal{L}}_\varphi) \cap \mathcal{L}_\varphi = \mathcal{S}^*(\mathcal{L}_R) \cap \mathcal{L}_R = \mathcal{L}_R \neq 0.$$

■



The above theorem states that if the controllability graph is multi-hop and the observability graph is single-hop, then it is not possible to distinguish failures in a set $\Phi$, unless $\Phi$ is trivial. In the following section, we will show that more can be done if the controllability graph is single-hop and the observability graph is multi-hop.

B. $G_R$ single-hop and $G_O$ multi-hop

If $G_R$ consists of a single hop, then $n_R = 1$, $A_R = 0$, $B_R = C_R = 1$. Using the same reasoning as in the above section, we can define a set $\Phi$ of equivalence classes of link failures that equally perturb the dynamics (3). Since in this case the failures occur in the observability graph, by an appropriate choice of $m_\varphi(kT)$ we define $L_\varphi : \mathbb{R}^{n_O} \to \mathbb{R}^n$, the failure signature map associated to the equivalence classes $\varphi \in \Phi$, as:

$$L_\varphi = \begin{bmatrix} \delta_\varphi \\ 0_{(n-1) \times n_O} \end{bmatrix}, \tag{5}$$

where $\delta_\varphi \in (\mathbb{R}_0^+)^{n_O}$ is a row vector and each component $\delta_\varphi(d)$ is the perturbation introduced by a failure $\varphi$ in the paths of $G_O$ characterized by delay $d$. The following theorem motivates an extension of the model (3).

Theorem 5: Let a MCN $\mathcal{N}$ and the corresponding faulty set $\Phi$ be given, where $G_R$ is single-hop and $G_O$ is multi-hop. Then the EFPRG can be solved for each $\varphi \in \Phi$ only if the following condition holds:

$$d\big((\mathcal{N}(C))^\perp\big) \geq \sum_{\varphi \in \Phi} d(\mathcal{L}_\varphi) := n_\Phi.$$

Proof: Equation (5) implies that $\mathcal{L}_\varphi \subseteq (\mathcal{N}(C))^\perp$ for each $\varphi \in \Phi$. Therefore $\sum_{\varphi \in \Phi} \mathcal{L}_\varphi \subseteq (\mathcal{N}(C))^\perp$, which implies that:

$$d\Big(\sum_{\varphi \in \Phi} \mathcal{L}_\varphi\Big) \leq d\big((\mathcal{N}(C))^\perp\big). \tag{6}$$

Condition (4) implies that $\forall \varphi, \varphi' \in \Phi$, $\varphi \neq \varphi'$, $\mathcal{L}_\varphi \cap \mathcal{L}_{\varphi'} = 0$. Therefore:

$$d\Big(\sum_{\varphi \in \Phi} \mathcal{L}_\varphi\Big) = \sum_{\varphi \in \Phi} d(\mathcal{L}_\varphi). \tag{7}$$

Applying (7) to (6) completes the proof. ■

The above theorem shows that it is not possible to design a residual generator for each $\varphi \in \Phi$ if the rank of the matrix $C$ is smaller than $n_\Phi$. In particular, in system (1) the rank of $C$ is 1, and $n_\Phi$ is equal to 1 only if the set $\Phi$ is trivial, namely it contains the equivalence class $\emptyset$ and just one equivalence class $\varphi$. For this reason, we need to consider a more general model for the observability graph. More precisely, we consider observability graphs characterized by $n_S$ terminating nodes $v_1, \ldots, v_{n_S}$, with $n_S > 1$. This can be modeled without loss of generality by redefining the matrices $A_O$, $B_O$ and $C_O$ as in Figure 5, where $n_O = D_O + n_S - 1$ is the new dimension of the state space. The failure signature maps $L_\varphi : \mathbb{R}^{D_O} \to \mathbb{R}^n$ are:

$$L_\varphi = \begin{bmatrix} \delta_{\varphi,1} \\ \vdots \\ \delta_{\varphi,n_S} \\ 0_{(n - n_S) \times D_O} \end{bmatrix}, \tag{8}$$

where $\delta_{\varphi,i} \in (\mathbb{R}_0^+)^{D_O}$ and each component $\delta_{\varphi,i}(d)$ is the perturbation introduced by a failure $\varphi$ in the paths of $G_O$ terminating with node $v_i$ and characterized by delay $d$. The following theorem states necessary and sufficient conditions to solve the EFPRG when $G_O$ is multi-hop and $G_R$ is single-hop.

Theorem 6: Let a MCN $\mathcal{N}$ and the corresponding faulty set $\Phi$ be given, where $G_R$ is single-hop and $G_O$ is multi-hop with $n_S \geq n_\Phi$ terminating nodes. Then the EFPRG can be solved for each $\varphi \in \Phi$ if and only if the following condition holds:

$$d(\mathcal{L}_\Phi) = n_\Phi, \tag{9}$$

where the matrix $L_\Phi := [\,L_{\varphi_1} \;\; L_{\varphi_2} \;\; \cdots \;\; L_{\varphi_{|\Phi|}}\,]$ is the juxtaposition of all failure signature maps in $\Phi$ and has dimensions $n_S \times n_\Phi$.

Proof: We need to state the equivalence between (9) and (4). For any $\varphi \in \Phi$, $\mathcal{L}_\varphi \subseteq (\mathcal{N}(C))^\perp$ and $\hat{\mathcal{L}}_\varphi \subseteq (\mathcal{N}(C))^\perp$. Thus, Lemma 3 implies that:

$$\mathcal{S}^*(\hat{\mathcal{L}}_\varphi) = \hat{\mathcal{L}}_\varphi + \mathcal{K}_\varphi, \qquad \mathcal{K}_\varphi \subseteq \mathcal{N}(C).$$

Moreover, for any $\varphi \in \Phi$, $\mathcal{L}_\varphi \cap \mathcal{K}_\varphi = 0$, thus:

$$\mathcal{S}^*(\hat{\mathcal{L}}_\varphi) \cap \mathcal{L}_\varphi = (\hat{\mathcal{L}}_\varphi + \mathcal{K}_\varphi) \cap \mathcal{L}_\varphi = \hat{\mathcal{L}}_\varphi \cap \mathcal{L}_\varphi.$$

It follows that (4) is equivalent to the following:

$$\forall \varphi \in \Phi, \quad \hat{\mathcal{L}}_\varphi \cap \mathcal{L}_\varphi = 0. \tag{10}$$

Since $n_S \geq n_\Phi$ by assumption, then $d(\mathcal{L}_\Phi) \leq n_\Phi$. Since the $\mathcal{L}_\varphi$ are monic, Condition (10) implies that (4) holds if and only if $d(\mathcal{L}_\Phi) = n_\Phi$. ■

The following theorem characterizes the relation between Condition (9) and the topology of $G_O(\eta_O)$.

Theorem 7: Let a MCN $\mathcal{N}$ and the corresponding faulty set $\Phi$ be given, where $G_R$ is single-hop and $G_O$ is multi-hop with $n_S$ terminating nodes. Then, $d(\mathcal{L}_\Phi) = n_\Phi$ if and only if $G_O(\eta_O)$ is a tree, where $v_y$ is the root node and $v_1, \ldots, v_{n_S}$ are the leaves.

Fig. 5. Matrices $A_O$, $B_O$ and $C_O$.



Proof: (sufficiency) Let $G_O(\eta_O)$ be a tree, where $v_y$ is the root node and the terminating nodes $v_1, \ldots, v_{n_S}$ are the leaves. Therefore, for each terminating node $v_i$, $i \in \{1, \ldots, n_S\}$, there exists a unique link $e_i = (v_i', v_i) \in E_O$, with $v_i' \in V_O \setminus \{v_1, \ldots, v_{n_S}\}$. Define the configurations of failures $f_i = \{e_i\}$, $i \in \{1, \ldots, n_S\}$, and the corresponding failure signature maps $\{L_{f_1}, \ldots, L_{f_{n_S}}\}$, each characterized by $n_S$ rows and 1 column. Since $G_O(\eta_O)$ is a tree, for each set $f \in 2^{E_O} \setminus \{f_1, \ldots, f_{n_S}\}$, $f \neq \emptyset$, there exist $p \leq n_\Phi$ and $e_1, \ldots, e_p$ such that $L_f m_f(kT) = \sum_{i=1}^{p} L_{f_i} m_{f_i}(kT)$. Since $\mathcal{L}_{f_i} \cap \mathcal{L}_{f_j} = 0$ for each $i, j = 1, \ldots, n_S$, $i \neq j$, then $\Phi = \{f_1, \ldots, f_{n_S}\}$ and $n_\Phi = n_S$. Since $L_{f_1}, \ldots, L_{f_{n_S}}$ are monic, then $d(\mathcal{L}_\Phi) = n_\Phi$.

(necessity) Assume that $G_O(\eta_O)$ is not a tree. Then there exist nodes $v$, $v'$ and $v''$ such that $e' = (v', v) \in E_O$ and $e'' = (v'', v) \in E_O$. Define $f' = \{e'\}$ and $f'' = \{e''\}$. In this case, $L_{f'}$ assumes the following form:

$$L_{f'} = \begin{bmatrix} \delta'_{v_1} \\ \vdots \\ \delta'_{v_{n_S}} \\ 0_{(n - n_S) \times D_O} \end{bmatrix},$$

where $\delta'_{v_i}(d)$ is the contribution on the dynamics (3) of all paths starting from $v_y$, terminating in node $v_i$, passing through $e'$, and characterized by a delay $d$; $L_{f''}$ can be defined similarly. It follows that:

$$\mathcal{L}_{f'} \supseteq \mathrm{span}\begin{bmatrix} \sum_{d=1}^{D_O} \delta'_{v_1}(d) \\ \vdots \\ \sum_{d=1}^{D_O} \delta'_{v_{n_S}}(d) \\ 0_{(n - n_S) \times 1} \end{bmatrix}.$$

If a failure occurs in link $e'$, then the contribution $\sum_{d=1}^{D_O} \delta'_{v_i}(d)$ on the dynamics (3) can be decomposed as the product of the contributions of all paths starting in $v_y$ and terminating in $v$ passing through $e'$, and of the contributions of all paths starting in $v$ and terminating in $v_i$. Denoting the former by $\delta'_v(d)$ and the latter by $\delta_{v,v_i}(d)$, we thus have

$$\mathcal{L}_{f'} \supseteq \mathrm{span}\begin{bmatrix} \big(\sum_{d} \delta'_{v}(d)\big)\big(\sum_{d} \delta_{v,v_1}(d)\big) \\ \vdots \\ \big(\sum_{d} \delta'_{v}(d)\big)\big(\sum_{d} \delta_{v,v_{n_S}}(d)\big) \\ 0_{(n - n_S) \times 1} \end{bmatrix} = \mathrm{span}\begin{bmatrix} \sum_{d} \delta_{v,v_1}(d) \\ \vdots \\ \sum_{d} \delta_{v,v_{n_S}}(d) \\ 0_{(n - n_S) \times 1} \end{bmatrix},$$

and the same inclusion holds for $\mathcal{L}_{f''}$, since the paths from $v$ to the terminating nodes do not depend on $e'$ or $e''$. It is clear that $\mathcal{L}_{f'} \cap \mathcal{L}_{f''} \neq 0$. If $\exists k \geq 0 : L_{f'} m_{f'}(kT) \neq L_{f''} m_{f''}(kT)$, then the configurations of failures $f'$ and $f''$ belong to different equivalence classes of $\Phi$ and thus $d(\mathcal{L}_\Phi) < n_\Phi$. If $L_{f'} m_{f'}(kT) = L_{f''} m_{f''}(kT)$, $\forall k \geq 0$, then the configurations of failures $f'$ and $f''$ belong to the same equivalence class $[L_{f'} m_{f'}]$ of $\Phi$, and we cannot conclude that $d(\mathcal{L}_\Phi) < n_\Phi$. However, the simultaneous failure of links $e'$ and $e''$ belongs to the equivalence class $[L_{f' \cup f''} m_{f' \cup f''}]$, with $L_{f' \cup f''} \neq L_{f'}$ and $\mathcal{L}_{f' \cup f''} \cap \mathcal{L}_{f'} \neq 0$, and thus $d(\mathcal{L}_\Phi) < n_\Phi$. ■

Corollary 8: Let a MCN $\mathcal{N}$ and the corresponding faulty set $\Phi$ be given, where $G_R$ is single-hop and $G_O$ is multi-hop with $n_S$ terminating nodes. If the EFPRG can be solved for each $\varphi \in \Phi$, then $n_S = n_\Phi$ and $\mathcal{L}_\Phi = (\mathcal{N}(C))^\perp$.

Proof: Straightforward, since $G_O(\eta_O)$ is a tree, and thus to each terminating node $v_i$, $i \in \{1, \ldots, n_S\}$, corresponds only one path from $v_y$ to $v_i$. ■
The necessary and sufficient condition given in Theorem 7 provides a hard constraint on the topology of $G_O(\eta_O)$ induced by the scheduling $\eta_O$. This is not surprising, since we require to solve the EFPRG for the set $\Phi$ of all configurations of failures that perturb the dynamics (3). From an implementation point of view, this constraint can be interpreted either as hardware or as software redundancy. In the former case, the tree structure of $G_O(\eta_O)$ provides a hardware separation for all paths from $v_y$ to the terminating nodes. However, a tree communication graph might not always be implementable in real cases: therefore, the constraint on $G_O(\eta_O)$ can be implemented by using, for those communication nodes that receive data from multiple incoming links, separate memory slots for each of the incoming data. These nodes will transmit distinct data for each memory slot, thus providing a software separation for all paths from $v_y$ to the terminating nodes. In general, a combination of the above approaches is reasonably implementable in a real communication network. An interesting future research direction is relating the properties of $G_O(\eta_O)$ with Condition (9) when the number of simultaneous failures that can occur is bounded, or when failures cannot occur in some secure paths of the communication network.
Fig. 6. Inductive definition of matrix $\Psi$.



C. $G_{\mathcal{R}}$ and $G_{\mathcal{O}}$ multi-hop

When both $G_{\mathcal{R}}$ and $G_{\mathcal{O}}$ are multi-hop, we need to define the set $\Phi = \Phi_{\mathcal{R}} \cup \Phi_{\mathcal{O}}$ of equivalence classes that equally perturb the dynamics (3). In this case, failures occur in both the controllability and observability graphs. Therefore, by an appropriate choice of $m_\varphi(kT)$, we define the failure signature maps associated to the equivalence classes $\varphi_{\mathcal{R}} \in \Phi_{\mathcal{R}}$ and $\varphi_{\mathcal{O}} \in \Phi_{\mathcal{O}}$ by:

$$L_{\varphi_{\mathcal{R}}} = \begin{bmatrix} 0_{(n_{\mathcal{O}}+n_{\mathcal{P}})\times n_{\mathcal{R}}} \\ \delta_{\varphi_{\mathcal{R}}} \\ 0_{(n_{\mathcal{R}}-1)\times n_{\mathcal{R}}} \end{bmatrix}$$

with $\delta_{\varphi_{\mathcal{R}}}$ a row vector, and $\delta_{\varphi_{\mathcal{O}}}$ as defined in (8).

We recall that, for each $\varphi_{\mathcal{R}} \in \Phi_{\mathcal{R}}$ non-empty, $\mathcal{L}_{\varphi_{\mathcal{R}}} = \operatorname{span}\{e_{n_{\mathcal{O}}+n_{\mathcal{P}}+1}\}$. Therefore, we will consider w.l.o.g. only one failure in the reachability graph, namely $\Phi_{\mathcal{R}} = \{\varphi_{\mathcal{R}}\}$ with $\mathcal{L}_{\varphi_{\mathcal{R}}} = \operatorname{span}(e_{n_{\mathcal{O}}+n_{\mathcal{P}}+1})$.

Moreover, by Theorem 7, a necessary condition to solve the EFPRG for any $\varphi_{\mathcal{O}} \in \Phi_{\mathcal{O}}$ is that $G_{\mathcal{O}}$ is a tree. Therefore, we will consider w.l.o.g. a failure in the observability graph for each path, namely $\Phi_{\mathcal{O}} = \{\varphi_1, \ldots, \varphi_{n_s}\}$ with $\mathcal{L}_{\varphi_i} = \operatorname{span}(e_i)$.

The following theorem states that it is not possible to 
detect failures in the controllability and observability graphs 
using the measurements of the observability graph. 

Theorem 9: Let a MCN $\mathcal{N}$ and the corresponding faulty set $\Phi$ be given, where $G_{\mathcal{R}}$ is multi-hop and $G_{\mathcal{O}}$ is multi-hop with $n_s$ terminating nodes. Then the EFPRG is not solvable for any $\varphi_{\mathcal{R}} \in \Phi_{\mathcal{R}}$ and any $\varphi_{\mathcal{O}} \in \Phi_{\mathcal{O}}$.

Proof: We first show that $\mathcal{S}^*(\mathcal{L}_{\varphi_{\mathcal{R}}}) \cap \mathcal{L}_{\varphi_{\mathcal{R}}} \neq 0$. By Corollary 8, $\sum_{\varphi_{\mathcal{O}} \in \Phi_{\mathcal{O}}} \mathcal{L}_{\varphi_{\mathcal{O}}} = \ldots$ and $\mathcal{S}^*\big(\sum_{\varphi_{\mathcal{O}} \in \Phi_{\mathcal{O}}} \mathcal{L}_{\varphi_{\mathcal{O}}}\big) = \ldots$ by Lemma 3. Since $\mathcal{L}_{\varphi_{\mathcal{R}}} = \sum_{\varphi_{\mathcal{O}} \in \Phi_{\mathcal{O}}} \mathcal{L}_{\varphi_{\mathcal{O}}}$, then $\mathcal{S}^* \cap \mathcal{L}_{\varphi_{\mathcal{R}}} \neq 0$.

To complete the proof, we need to show that for each $i \in \{1, \ldots, n_s\}$, $\mathcal{S}^*(\mathcal{L}_{\varphi_i}) \cap \mathcal{L}_{\varphi_i} \neq 0$, with $\varphi_i \in \Phi_{\mathcal{O}}$. We will only provide the proof for $i = 1$: the same reasoning can be used for $i \in \{2, \ldots, n_s\}$.

The space $\mathcal{W}^*$ is generated by the submatrix $\Psi_h$, which consists of the first $h$ columns of the matrix $\Psi$ with infinite columns inductively defined in Figure 6, and where the value of $h$ depends on the terminating condition of the CAISA Algorithm. More precisely, $h$ is the smallest integer such that $\operatorname{rank}(\operatorname{span}(\Psi_h) \cap \mathcal{N}(C)) = \operatorname{rank}(\operatorname{span}(\Psi_{h+1}) \cap \mathcal{N}(C))$. The above terminating condition occurs at column $h$ if and only if one of the following two conditions holds: (i) the first row of column $h$ (which is a scalar) is equal to zero and column $h$ is linearly dependent on all the previous columns $1, \ldots, h-1$; (ii) the first row of column $h$ is different from zero. We show in the following that condition (ii) will always stop the CAISA algorithm before condition (i) can occur.
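As an added illustration (not code from the paper), the following Python checks the CAISA terminating rule above on a constructed $\Psi$ and reports which of conditions (i) and (ii) stopped it. It assumes $\mathcal{N}(C) = \{x : x_1 = 0\}$ (the first state is the measured one) and counts the stopping column as the first one whose addition does not enlarge $\operatorname{span}(\Psi_h) \cap \mathcal{N}(C)$; the matrices $\Psi$ used here are constructed, not the inductive definition of Figure 6.

```python
import numpy as np

TOL = 1e-9


def rank(M):
    """Numerical rank; an empty (n x 0) matrix has rank 0."""
    return 0 if M.size == 0 else int(np.linalg.matrix_rank(M, tol=TOL))


def dim_span_cap_null(Psi_h, C):
    """dim(span(Psi_h) ∩ N(C)).  Psi_h z lies in N(C) iff C Psi_h z = 0, so the
    dimension is dim N(C Psi_h) - dim N(Psi_h) = rank(Psi_h) - rank(C Psi_h)."""
    return rank(Psi_h) - rank(C @ Psi_h)


def caisa_stop_column(Psi, C):
    """Smallest h (1-based) whose column does not enlarge span(Psi_h) ∩ N(C):
    the first h with dim(span(Psi_h) ∩ N(C)) == dim(span(Psi_{h-1}) ∩ N(C)).
    Returns None if every column of the finite Psi given here enlarges it."""
    for h in range(1, Psi.shape[1] + 1):
        if dim_span_cap_null(Psi[:, :h], C) == dim_span_cap_null(Psi[:, :h - 1], C):
            return h
    return None


def stop_reason(Psi, C, h):
    """Which of the two conditions holds at column h, assuming N(C) = {x : x_1 = 0}:
    'ii' if the first-row entry of column h is non-zero; 'i' if it is zero and
    column h is linearly dependent on columns 1..h-1; None otherwise."""
    if abs(Psi[0, h - 1]) > TOL:
        return "ii"
    if rank(Psi[:, :h]) == rank(Psi[:, :h - 1]):
        return "i"
    return None


# Constructed data (assumption, not from the paper): n = 5 states, C reads state 1.
C = np.array([[1.0, 0, 0, 0, 0]])
# Columns 1-3 have a zero first row and are independent; column 4 is the first with
# a non-zero first-row entry, so condition (ii) stops the algorithm at h = 4.
Psi_ii = np.array([[0, 0, 0, 2, 0],
                   [1, 0, 0, 1, 1],
                   [0, 1, 0, 0, 0],
                   [0, 0, 1, 3, 0],
                   [0, 0, 0, 0, 1]], dtype=float)
# Column 3 has a zero first row but equals column 1 + column 2, so condition (i)
# stops the algorithm at h = 3 before any non-zero first-row entry appears.
Psi_i = np.array([[0, 0, 0, 1],
                  [1, 0, 1, 0],
                  [0, 1, 1, 0],
                  [0, 0, 0, 0],
                  [0, 0, 0, 1]], dtype=float)
```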

Let $m \in \mathbb{N} \cup \{0\}$ be the smallest value such that $C_{\mathcal{P}} A_{\mathcal{P}}^m B_{\mathcal{P}} \neq 0$. Since $(A_{\mathcal{P}}, B_{\mathcal{P}})$ is controllable and $(C_{\mathcal{P}}, A_{\mathcal{P}})$ is observable, then $m \le n_{\mathcal{P}} - 1$. Note that the first $n_s + 1$ columns of $\Psi$ are already present, since they belong to $\mathcal{L}_{\varphi_1}$. The subsequent $m$ columns are linearly independent from the previous columns since $(A_{\mathcal{P}}, B_{\mathcal{P}})$ is controllable and $m \le n_{\mathcal{P}} - 1$. Since the scalar $C_{\mathcal{P}} A_{\mathcal{P}}^m B_{\mathcal{P}} \neq 0$ appears at row $n_s + D_{\mathcal{O}} - 1$ and at column $n_s + 2 + m$, the subsequent $D_{\mathcal{O}} - 2$ columns are linearly independent from the previous columns. Therefore, column $h$ can be linearly dependent on all the previous columns only for $h \ge h_1 = n_s + m + D_{\mathcal{O}} + 1$.

Let $1 \le d_1 \le D_{\mathcal{O}}$ be the smallest value such that $\gamma_1(d_1) \neq 0$. Therefore, the first row of $\Psi$ will have a non-zero value for the first time at column $h_2 = n_s + m + d_1 + 1$. Since $h_2 \le h_1$, condition (ii) will always stop the CAISA algorithm before condition (i) can occur. Therefore:


$\mathcal{W}^*(\mathcal{L}_{\varphi_1}) = \operatorname{span}\{\,\cdot\,\}$, a block matrix built from $I_{n_s-1}$, $\psi_1$, $\psi_2$ and $I_l$, where $l \le n - n_s$, $\psi_1$ is an $(n_s - 1)$ column vector, $\psi_2 \neq 0$ is a scalar, and $\psi_3$ is an $l$ column vector. Applying the UOSA algorithm, we obtain:


$$\mathcal{S}_1(\mathcal{L}_{\varphi_1}) = \mathcal{W}^*(\mathcal{L}_{\varphi_1}) + \mathcal{N}(C)$$

$$\mathcal{S}^*(\mathcal{L}_{\varphi_1}) = \ldots$$

which clearly implies that $\mathcal{S}^*(\mathcal{L}_{\varphi_1}) \cap \mathcal{L}_{\varphi_1} \neq 0$. ■

Theorem 9 states that, in order to detect failures in the observability graph, the controllability graph must not be subject to failures. From a practical point of view, the communication protocol in the controllability graph is required to implement failure detection using handshaking messages between nodes and to inform the controller about the set of faulty links.